Security Policies and Security Models


Manu asked an awesome question today. I really love it, so I am keeping it on my blog as well.


This is an awesome question! Thanks for asking, Manu! The following is my two cents:

  • A policy is management intent, formally expressed, to direct or affect the behavior of an entity. Security policies are policies that enforce confidentiality, integrity and availability (CIA); they are one source of security requirements.
  • A model is typically a structural representation of an entity (or a detailed description or scaled representation, per NIST’s definition).
  • A model is part of the solution domain, while a policy belongs to the problem domain.
  • A security model, as a design, has to “formalize” (define precisely) the security policies and propose a solution that addresses their security requirements.
[Figure: Bell-LaPadula Model]

For example, a security policy may mandate that the system shall not permit the unauthorized disclosure of information. A security model may “formalize” unauthorized disclosure as follows:

  1. Information shall not flow from a high-security level to a lower one.
  2. Information shall not flow to unauthorized entities.

At the same time, it may propose a design that uses:

  1. a state machine to prove that the system starts in a secure state and that every transition preserves it, and
  2. a lattice of security labels to control information flow.
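To make the two formal rules and the two design elements concrete, here is an added example (not code from the original post) that implements the mandatory part of Bell-LaPadula in Python. The lattice element is a label made of a hierarchical level plus a set of need-to-know categories, ordered by the usual dominance relation; the state machine records every access currently held and refuses any request that would break the simple security property (no read up) or the *-property (no write down). The levels, categories, subjects and objects are constructed sample data and are assumptions of this example, not anything the post defines. The discretionary ds-property of the original model is left out because the text does not discuss it.

```python
from dataclasses import dataclass
from enum import Enum

# Hierarchical sensitivity levels. Constructed for this example; any total
# order would do.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice element: a hierarchical level plus a set of need-to-know
    categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order of the lattice: A >= B iff A's level is at least B's
        # level and A's categories are a superset of B's. Labels with
        # different categories at the same level are incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class Access(Enum):
    READ = "read"
    WRITE = "write"


class BLPStateMachine:
    """State = the set of (subject, object, access) triples currently held.
    Each request is a transition; a transition is granted only if the
    resulting state still satisfies both mandatory properties."""

    def __init__(self, subjects, objects):
        self.subjects = dict(subjects)   # subject name -> clearance Label
        self.objects = dict(objects)     # object name  -> classification Label
        self.state = set()               # accesses currently granted

    def _allowed(self, subj, obj, access):
        s, o = self.subjects[subj], self.objects[obj]
        if access is Access.READ:
            # Simple security property ("no read up"): the subject's clearance
            # must dominate the object's classification. This also blocks a
            # read by a subject lacking the object's category, i.e. flow to
            # an unauthorized entity.
            return s.dominates(o)
        # *-property ("no write down"): the object's classification must
        # dominate the subject's clearance, so information never flows from
        # a higher label to a lower one.
        return o.dominates(s)

    def request(self, subj, obj, access):
        """Transition: grant (record) the access, or deny and leave the state
        unchanged. Returns True if granted."""
        if self._allowed(subj, obj, access):
            self.state.add((subj, obj, access))
            return True
        return False

    def is_secure(self):
        """The invariant the state machine proves: every access currently
        held satisfies both properties."""
        return all(self._allowed(s, o, a) for (s, o, a) in self.state)


def demo():
    """Constructed scenario; returns each decision plus the final invariant."""
    subjects = {
        "alice": Label("SECRET", frozenset({"NUCLEAR"})),
        "bob": Label("CONFIDENTIAL"),
    }
    objects = {
        "launch_codes": Label("SECRET", frozenset({"NUCLEAR"})),
        "cafeteria_menu": Label("UNCLASSIFIED"),
        "crypto_keys": Label("SECRET", frozenset({"CRYPTO"})),
    }
    m = BLPStateMachine(subjects, objects)
    decisions = {
        "alice_reads_codes": m.request("alice", "launch_codes", Access.READ),
        "alice_reads_menu": m.request("alice", "cafeteria_menu", Access.READ),
        "alice_writes_menu": m.request("alice", "cafeteria_menu", Access.WRITE),
        "alice_reads_crypto": m.request("alice", "crypto_keys", Access.READ),
        "bob_reads_codes": m.request("bob", "launch_codes", Access.READ),
        "bob_writes_codes": m.request("bob", "launch_codes", Access.WRITE),
    }
    return decisions, m.is_secure()


if __name__ == "__main__":
    for name, granted in demo()[0].items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Two decisions are worth a second look. Alice, cleared SECRET/NUCLEAR, is denied a read of a SECRET/CRYPTO object even though the levels match, because the labels are incomparable in the lattice; that is the second rule ("not to unauthorized entities") falling out of the same ordering as the first. Bob, cleared CONFIDENTIAL, is allowed to write into a SECRET object he cannot read; Bell-LaPadula is a confidentiality model only, and this "blind write up" is exactly why it is usually paired with an integrity model in practice.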

To sum up, a security model is a solution that addresses the requirements conveyed through policies and a design that dictates the implementation.
